mah_one Posted April 16, 2013
Title: Billsafe.de - 2 ways to enter in any account and 2 Reflected XSS
Security Reward Program: https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
Affected Product: Billsafe Inc.
Date: 17.04.2013
Severity: High.
Status: All vulnerabilities have been fixed

The video above shows the two ways to get into accounts + 1 Reflected XSS.
The second one would be: https://client.billsafe.de/search/perform-claim-search/orderc/Käufer/dirc/etc'"><object data=jAvascriPt:alert(1)>
I also found 2 stored XSS, but they were duplicates: https://rstforums.com/forum/68125-billsafe-de-stored-xss-paypal.rst
dekeeu Posted April 16, 2013
Good job! How much did you get for the first vulnerability (the one with the accounts)?
chioara3 Posted April 17, 2013
Well done. How much did you get?
Domnul.Do Posted April 17, 2013
What is the criterion/classification for "Severity"?
mah_one Posted April 18, 2013 Author
The criterion is probability * impact = risk. There are 3 levels: Low; Medium; High.
The probability is somewhere around 30% that it happens, and the impact on the company's image is very large, so for me it is an extremely serious vulnerability.
mah_one Posted May 30, 2013 Author
They told me this issue is invalid.
I did not fake anything in the video.
I can't believe it :(
P.S.: I can more or less work out what happened: on 27.01 someone from Vulnerability Lab sent them an issue on how to steal any account on client.billsafe.de, the dev team on client.billsafe.de fixed the problem quickly, and on 19.02 I sent partly the same issue (see the video above). I explained to them that it could be valid and that what the first researcher sent is not the same issue as what I sent, but they set the status to "INVALID".
Sorry for the double post, but there was no point opening another topic.